
Congressional 
Research Service 

Informing the legislative debate since 1914 



Cyberwarfare and Cyberterrorism: In Brief 

Catherine A. Theohary 

Specialist in National Security Policy and Information Operations 

John W. Rollins 

Specialist in Terrorism and National Security 
March 27, 2015 



Congressional Research Service 

7-5700 

www.crs.gov 

R43955 



CRS REPORT 

Prepared for Members and 
Committees of Congress 




Summary 

Recent incidents have highlighted the lack of consensus internationally on what defines a 
cyberattack, an act of war in cyberspace, or cyberterrorism. Cyberwar is typically conceptualized 
as state-on-state action equivalent to an armed attack or use of force in cyberspace that may 
trigger a military response with a proportional kinetic use of force. Cyberterrorism can be 
considered “the premeditated use of disruptive activities, or the threat thereof, against computers 
and/or networks, with the intention to cause harm or further social, ideological, religious, political 
or similar objectives, or to intimidate any person in furtherance of such objectives.” Cybercrime 
includes unauthorized network breaches and theft of intellectual property and other data; it can be 
financially motivated, and response is typically the jurisdiction of law enforcement agencies. 
Within each of these categories, different motivations as well as overlapping intent and methods 
of various actors can complicate response options. 

Criminals, terrorists, and spies rely heavily on cyber-based technologies to support organizational 
objectives. Cyberterrorists are state-sponsored and non-state actors who engage in cyberattacks to 
pursue their objectives. Cyberspies are individuals who steal classified or proprietary information 
used by governments or private corporations to gain a competitive strategic, security, financial, or 
political advantage. Cyberthieves are individuals who engage in illegal cyberattacks for monetary 
gain. Cyberwarriors are agents or quasi-agents of nation-states who develop capabilities and 
undertake cyberattacks in support of a country’s strategic objectives. Cyberactivists are 
individuals who perform cyberattacks for pleasure, philosophical, political, or other nonmonetary 
reasons. 

There are no clear criteria yet for determining whether a cyberattack is criminal, an act of 
hacktivism, terrorism, or a nation-state’s use of force equivalent to an armed attack. Likewise, no 
international, legally binding instruments have yet been drafted explicitly to regulate inter-state 
relations in cyberspace. 

The current domestic legal framework surrounding cyberwarfare and cyberterrorism is equally 
complicated. Authorizations for military activity in cyberspace contain broad and undefined 
terms. There is no legal definition for cyberterrorism. The USA PATRIOT Act’s definition of 
terrorism and references to the Computer Fraud and Abuse Act appear to be the only applicable 
working construct. Lingering ambiguities in cyberattack categorization and response policy have 
caused some to question whether the United States has an effective deterrent strategy in place 
with respect to malicious activity in cyberspace. 






Contents 

Introduction 

The Cyberwarfare Ecosystem: A Variety of Threat Actors 

Cyberwarfare 

Rules of the Road and Norm-Building in Cyberspace 

Cyberterrorism 

Use of the Military: Offensive Cyberspace Operations 

Contacts 

Author Contact Information 






Introduction 

“Cyberattack” is a relatively recent term that can refer to a range of activities conducted through 
the use of information and communications technology (ICT). The use of distributed denial of 
service (DDoS) attacks has become a widespread method of achieving political ends through the 
disruption of online services. In these types of attacks, a server is overwhelmed with Internet 
traffic so access to a particular website is degraded or denied. The advent of the Stuxnet worm, 
which some consider the first cyberweapon, showed that cyberattacks may have a more 
destructive and lasting effect. Appearing to target Iran, Stuxnet malware attacked the 
computerized industrial control systems on which nuclear centrifuges operate, causing them to 
self-destruct. 

Recent international events have raised questions on when a cyberattack could be considered an 
act of war, and what sorts of response options are available to victim nations. Although there is no 
clear doctrinal definition of “cyberwarfare,” it is typically conceptualized as state-on-state action 
equivalent to an armed attack or use of force in cyberspace that may trigger a military response 
with a proportional kinetic use of force. Cyberterrorism can be considered “the premeditated use 
of disruptive activities, or the threat thereof, against computers and/or networks, with the 
intention to cause harm or further social, ideological, religious, political or similar objectives, or 
to intimidate any person in furtherance of such objectives.” Cybercrime includes unauthorized 
network breaches and theft of intellectual property and other data; it can be financially motivated, 
and response is typically the jurisdiction of law enforcement agencies. 

The cyberattacks on Sony Entertainment illustrate the difficulties in categorizing attacks and 
formulating a response policy. On November 24, 2014, Sony experienced a cyberattack that 
disabled its information technology systems, destroyed data and workstations, and released 
internal emails and other materials. Warnings surfaced that threatened “9/11-style” terrorist 
attacks on theaters scheduled to show the film The Interview, causing some theaters to cancel 
screenings and Sony to cancel its widespread release, although U.S. officials claimed to have 
“no specific, credible intelligence of such a plot.” The Federal Bureau of Investigation (FBI) and 
the Director of National Intelligence (DNI) attributed the cyberattacks to the North Korean 
government; North Korea denied involvement in the attack, but praised a hacktivist group, called 
the “Guardians of Peace,” for having done a “righteous deed.” During a December 19, 2014, 
press conference, President Obama pledged to “respond proportionally” to North Korea’s alleged 
cyber assault, “in a place, time and manner of our choosing.” President Obama referred to the 
incident as an act of “cyber-vandalism,” while others decried it as an act of cyberwar. 

This incident illustrates challenges in cyberattack categorization, particularly with respect to the 
actors involved and their motivations as well as issues of sovereignty regarding where the actors 
were physically located. With the globalized nature of the Internet, perpetrators can launch 
cyberattacks from anywhere in the world and route the attacks through servers of third-party 
countries. Was the cyberattack on Sony, a private corporation with headquarters in Japan, an 
attack on the United States? Further, could it be considered an act of terrorism, a use of force, or 
cybercrime? In categorizing the attacks on Sony as an act of “cyber vandalism,” which typically 
includes defacing websites and is usually the realm of politically motivated actors known as 
“hacktivists,” President Obama raised questions of what type of response could be considered 
“proportional,” and against whom. Another potential policy question could be the circumstances 
under which the United States would commit troops to respond to a cyberattack. Related to this is 
the question of whether the U.S. has an effective deterrence strategy in place. According to DNI 
Clapper, “If they get global recognition at a low cost and no consequence, they will do it again 
and keep doing it again until we push back.” 1 



The Cyberwarfare Ecosystem: A Variety of Threat Actors 

Criminals, terrorists, and spies rely heavily on cyber-based technologies to support organizational 
objectives. Commonly recognized cyber-aggressors and representative examples of the harm they 
can inflict include the following: 

Cyberterrorists are state-sponsored and non-state actors who engage in cyberattacks to pursue 
their objectives. Transnational terrorist organizations, insurgents, and jihadists have used the 
Internet as a tool for planning attacks, radicalization and recruitment, a method of propaganda 
distribution, and a means of communication, and for disruptive purposes. 2 While no unclassified 
reports have been published regarding a cyberattack on a critical component of U.S. 
infrastructure, the vulnerability of critical life-sustaining control systems being accessed and 
destroyed via the Internet has been demonstrated. In 2009, the Department of Homeland Security 
(DHS) conducted an experiment that revealed some of the vulnerabilities to the nation’s control 
systems that manage power generators and grids. The experiment, known as the Aurora Project, 
entailed a computer-based attack on a power generator’s control system that caused operations to 
cease and the equipment to be destroyed. 3 Cyberterrorists may be seeking a destructive capability 
to exploit these vulnerabilities in critical infrastructure. 

Cyberspies are individuals who steal classified or proprietary information used by governments or 
private corporations to gain a competitive strategic, security, financial, or political advantage. 
These individuals often work at the behest of, and take direction from, foreign government 
entities. Targets include government networks, cleared defense contractors, and private 
companies. For example, a 2011 FBI report noted, “a company was the victim of an intrusion and 
had lost 10 years’ worth of research and development data — valued at $1 billion — virtually 
overnight.” 4 Likewise, in 2008 the Department of Defense’s (DOD) classified computer network 
system was unlawfully accessed and “the computer code, placed there by a foreign intelligence 
agency, uploaded itself undetected onto both classified and unclassified systems from which data 
could be transferred to servers under foreign control.” 5 

Cyberthieves are individuals who engage in illegal cyberattacks for monetary gain. Examples 
include an organization or individual who illegally accesses a technology system to steal and use 
or sell credit card numbers and someone who deceives a victim into providing access to a 
financial account. One estimate has placed the annual cost of cybercrime to individuals in 24 
countries at $388 billion. 6 However, given the complex and sometimes ambiguous nature of the 
costs associated with cybercrime, and the reluctance in many cases of victims to admit to being 
attacked, there does not appear to be any publicly available, comprehensive, reliable assessment 
of the overall costs of cyberattacks. 

1 See http://www.bloomberg.com/politics/articles/2015-01-07/clapper-warns-of-more-potential-north-korean-hacks-after-sony. 

2 For additional information, see CRS Report RL33123, Terrorist Capabilities for Cyberattack: Overview and Policy 
Issues, by John W. Rollins and Clay Wilson. 

3 See “Challenges Remain in DHS’ Efforts to Security Control Systems,” Department of Homeland Security, Office of 
Inspector General, August 2009. For a discussion of how computer code may have caused the halting of operations at 
an Iranian nuclear facility see CRS Report R41524, The Stuxnet Computer Worm: Harbinger of an Emerging Warfare 
Capability, by Paul K. Kerr, John W. Rollins, and Catherine A. Theohary. 

4 Executive Assistant Director Shawn Henry, Responding to the Cyber Threat, Federal Bureau of Investigation, 
Baltimore, MD, 2011. 

5 Department of Defense Deputy Secretary of Defense William J. Lynn III, “Defending a New Domain,” Foreign 
Affairs, October 2010. 

Cyberwarriors are agents or quasi-agents of nation-states who develop capabilities and undertake 
cyberattacks in support of a country’s strategic objectives. 7 These entities may or may not be 
acting on behalf of the government with respect to target selection, timing of the attack, and 
type(s) of cyberattack and are often blamed by the host country when accusations are levied by 
the nation that has been attacked. Often, when a foreign government is provided evidence that a 
cyberattack is emanating from its country, the nation that has been attacked is informed that the 
perpetrators acted of their own volition and not at the behest of the government. In August 2012 a 
series of cyberattacks were directed against Saudi Aramco, the world’s largest oil and gas 
producer. The attacks compromised 30,000 computers and the code was apparently designed to 
disrupt or halt oil production. Some security officials have suggested that Iran may have 
supported this attack. However, numerous groups, some with links to nations with objectives 
counter to Saudi Arabia, have claimed credit for this incident. 

Cyberactivists are individuals who perform cyberattacks for pleasure, philosophical, political, or 
other nonmonetary reasons. Examples include someone who attacks a technology system as a 
personal challenge (who might be termed a “classic” hacker), and a “hacktivist” such as a 
member of the cyber-group Anonymous who undertakes an attack for political reasons. The 
activities of these groups can range from nuisance-related denial of service attacks and website 
defacement to disrupting government and private corporation business processes. 

The threats posed by these cyber-aggressors and the types of attacks they can pursue are not 
mutually exclusive. For example, a hacker targeting the intellectual property of a corporation may 
be categorized as both a cyberthief and a cyberspy. A cyberterrorist and cyberwarrior may be 
employing different technological capabilities in support of a nation’s security and political 
objectives. Some reports indicate that cybercrime has now surpassed the illegal drug trade as a 
source of funding for terrorist groups, although there is some confusion as to whether a particular 
action should be categorized as cybercrime. 8 Ascertaining information about an aggressor and its 
capabilities and intentions is difficult. 9 The threats posed by these aggressors coupled with the 
United States’ proclivity to be an early adopter of emerging technologies, 10 which are often 



6 For discussions of federal law and issues relating to cybercrime, see CRS Report 97-1025, Cybercrime: An Overview 
of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws, by Charles Doyle, and CRS 
Report R41927, The Interplay of Borders, Turf, Cyberspace, and Jurisdiction: Issues Confronting U.S. Law 
Enforcement, by Kristin Finklea. 

7 For additional information, see CRS Report R43848, Cyber Operations in DOD Policy and Plans: Issues for 
Congress, by Catherine A. Theohary. 

8 Lillian Ablon, Martin C. Libicki, Andrea A. Golay, Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar, 
RAND. For more information on cybercrime definitions, see CRS Report R42547, Cybercrime: Conceptual Issues for 
Congress and U.S. Law Enforcement, by Kristin Finklea and Catherine A. Theohary. 

9 The concept of attribution in the cyber world entails an attempt to identify with some degree of specificity and 
confidence the geographic location, identity, capabilities, and intention of the cyber-aggressor. Mobile technologies and 
sophisticated data routing processes and techniques often make attribution difficult for U.S. intelligence and law 
enforcement communities. 

10 Emerging cyber-based technologies that may be vulnerable to the actions of a cyber-aggressor include items that are 
in use but not yet widely adopted or are currently being developed. For additional information on how the convergence 
(continued...) 






